SpiderLabs Blog


A Friday Afternoon Troubleshooting Ruby OpenSSL... it's a trap!

Last Friday I was trying out some new code that one of my colleagues wrote to help automate some of the work involved in releasing new versions of the TrustKeeper Scan engine. One of the many things the code did was send emails. I hate writing boilerplate emails, so I was excited to put it to use and save myself some precious time. Unfortunately, when I ran the code for the first time, it crashed with the following error when trying to connect to our Exchange Server...

Now, this error is pretty self-explanatory, and having spent time working with other Ruby libraries that utilize OpenSSL, this basically means that we're failing to verify the certificate of the server we're connecting to. The interesting part to me was that when I visit this URL with Chrome and other web browsers, they successfully verify the certificate provided. Weird, huh?

In this blog post, I'll explain some of the digging around I had to do to get to the bottom of this issue and some other interesting bits I found along the way.
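As background for the kind of failure described above, here is an added example (not code from the original post or from any of the gems involved) showing how Ruby's OpenSSL bindings reach opposite verdicts on the same certificate depending on which CAs are in the trust store the client consults. The CA, host name and keys are all constructed sample data, and the example illustrates the general mechanism rather than the specific cause tracked down in this post.

```ruby
require "openssl"

# All names, keys and certificates here are constructed sample data.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  # Self-signed when no issuer key is given, otherwise signed by the issuer.
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `leaf` against a store holding only the `trusted` certificates.
# Returns [verified?, OpenSSL error code, OpenSSL error string].
def verify_against(trusted, leaf)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("/CN=Constructed Example CA", CA_KEY, ca: true)
LEAF_CERT = make_cert("/CN=mail.example.test", LEAF_KEY,
                      issuer_cert: CA_CERT, issuer_key: CA_KEY)

# Client A: its trust store does not contain the issuing CA.
NO_CA = verify_against([], LEAF_CERT)
# Client B: same leaf certificate, but the issuing CA is trusted.
WITH_CA = verify_against([CA_CERT], LEAF_CERT)

puts "store without CA: ok=#{NO_CA[0]} (#{NO_CA[2]})"
puts "store with CA:    ok=#{WITH_CA[0]} (#{WITH_CA[2]})"
```

When a Ruby client fails where a browser succeeds, comparing the CA bundle each one actually loads is a more useful first step than disabling verification.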

A Gem, Inside a Gem, Inside a Gem, Inside a Gem

First of all, Ruby Gems are pretty cool because you can use them as building blocks to build something bigger, badder and meaner. One of the tricky aspects of having a structure like this is tracking down who's responsible for an error when you run into problems.

In our case, we were using the Ruby Viewpoint gem. The Viewpoint gem provides a thin layer on top of Microsoft Exchange Web Service (EWS) and lets you do all kinds of fun things with Exchange, including sending emails. After getting the above error, I was able to track the failure down through the gem dependency chain to its source, which turned out to be just a couple gems deep.